Today’s workers are experiencing more freedom thanks to the explosive adoption of mobile devices in the enterprise. However, with an increasing amount of devices connecting to the network, IT administrators now have an overwhelming amount of information to monitor, and most of the time there are gaps in visibility to all of the devices trying to connect to the network. Aruba Clearpass offers your IT department a way to protect your data while allowing authorized users the ability to access information on the go or in the office.
Before we dive into some frequently asked questions about ClearPass, it will be beneficial to discuss some of the misconceptions between wired and wireless networking out there. Wired is a very challenging thing to do, given that you have open ports out there. Anybody that walks into your environment can just plug in, making it important to secure the wire. Securing wireless is much easier, because the wireless is just one component controlling the entire wireless. With a wired connection, there are different switches, ports, and they all have to be identified compared to wireless access. With ClearPass, this identification process can be accomplished more easily. We're able to understand or communicate with most of the major vendors out there, so that makes it easier to really authenticate any devices connecting through any type of switch out there. It isn’t even necessarily authenticating the switches, but ClearPass can also act as a TACACS server. If the user admin's, or the IT admin's, trying to get into a switch, we can securely provide access into those switches, either at its full access, or read-only access.
One of the main benefits of ClearPass is that it plays well with other technologies and systems. Nowadays many environments are not comprised of solutions from just one vendor. You may have a Cisco switch, a Palo Alto firewall, and of course you want to make sure that any product you put in your environment will be able to communicate and exchange information with all the different components. There is no such thing as vendor lock-in—you are essentially future-proofing your investment with ClearPass.
ClearPass is very flexible and it can do a lot. In fact, most customers are not currently using ClearPass to its full potential. IT teams can authenticate devices from a wireless, wired, or even from a remote VPN perspective. With VPN, you can authenticate it against most major vendors out there too, such as Juniper, Avaya, Cisco, Fortinet, etc. Talk to a trusted IT solutions provider and you will realize it is tough finding vendors ClearPass doesn’t cover from an integration perspective.
2. How can I see IoT devices on my network?
Just because you can't see it doesn't mean it's not there! Many companies have no idea what's out there when it comes to smart devices. ClearPass can identify all those wired and wireless devices, including IoT devices. Companies have experienced numerous security issues with IoT devices and ClearPass can dynamically profile (with different mechanisms to profile devices) and that profile information can be used to determine what type of policy or access that device should have while connected to your network.
If the appropriate profile information is provided, it becomes quite easy to determine what is out there on the network. Different policies can then be applied to any device, including IoT devices such as a printer. For example, that process would identify the device as an actual printer and then send a VLAN or an access list to segment that particular printer from the network. This device would be segmented differently than a laptop or a phone. The key takeaway with this is that every port can be treated the same way. Aruba refers to this as “dynamic segmentation.” With dynamic segmentation, it doesn't matter which port is being connected because different access policies can be assigned anywhere in the environment.
3. How can ClearPass provide secure access to guests?
It's important to understand there are different types of methods for authenticating devices. Aruba ClearPass is able to do this very well. ClearPass is able to authenticate devices using 802.1X certificate-based authentication and is also able to authenticate devices using captive portal. This is a very customizable module where the captive portal page can be made with different fields. For example, if a user gets into the environment and they're trying to get guest access, a sponsor type of access can be provided. In this instance they will need to provide the email of the person that they're visiting in order to get access to the network enabling organizations to securely allow visitors to get guest access to the network.
Another method for this can be accomplished by having the front desk create an account for the user that will only be valid for a certain amount of time, whether the guest needs access for a day, week, or longer, depending on how long that user will be onsite.
4. How does Aruba ClearPass address challenges with BYOD?
BYOD is a clear point of emphasis for ClearPass capabilities. ClearPass allows for self-service on-boarding which allows users to onboard their own devices to the network. ClearPass can generate a unique certificate, which can be used to then revoke access into the network if the device is misbehaving.
4a. How does Aruba ClearPass the address the unique challenges of BYOD in a college campus environment?
Students are bringing more devices to their college dorm than ever before. Outside of the expected devices, like an mobile phone and laptop, students are trying to connect video game consoles, Amazon Alexas, smart TVs and devices, tablets, and more. Many of these devices are not able to perform 802.1X authentication. For many of those devices there is no way that a username and password can be entered to get those devices connected to the network. This is a concern for many IT professionals on college campuses because in a lot of institutions the standard process is that a student goes to the IT help desk to register a device. This is not an efficient process, and it certainly doesn't scale very well.
With ClearPass, a workflow can be created to present a page to students to self-register and manage their own devices. If the student wants to provide access to another student or somebody else in their dorm they can actually do that as well. Students can manage and register their own devices, and IT/network administrators can prevent other users from being able to see those devices on the network. Users have the capability to control and provide access to whoever they want. IT administrators can also identify those devices and can assign the correct access policy into the network as well need be. This puts the power in the hands of the users.
5. How can I tell if the devices on my network are secure?
It's great that ClearPass can provide you the visibility needed to see all of the devices on the network, but how do you really know if any of those devices have already been compromised? Which devices have vulnerabilities that could be exposed once they are on your network? ClearPass can check the health of each device. It can check, for example, if the device is running an antivirus, or whether it's running the latest version of the antivirus, the same way an IT administrator can check whether a laptop is running the latest Windows updates. Before the device is granted access, the IT team can ensure the device meets the security requirements set by the organization. At this point ClearPass enables this feature for Windows, Macs, and Linux devices. This ensures that security strategies are being implemented correctly, and the monitoring aspect provides you that level of visibility needed to be confident your network is secure.
Typically, networking and security teams are the two main drivers of adoption for Aruba ClearPass, but more often than not, it’s security. At the end of the day, it's about the visibility and security at the edge. You want to understand what's out there. You want to make sure that devices are getting the proper access. You don't want an IoT device to be on the same VLAN as your trusted laptops. With ClearPass you can identify, classify, and enforce.
It’s also important to note that Aruba ClearPass is pretty hot right now in all verticals, purely based on the success stories companies are experiencing after deployment. The solution is so flexible that is can meet the needs of even the most unique needs at a wide-range of companies. At WEI, we are currently implementing Aruba ClearPass in healthcare and hospitals, financial services, higher education, etc. At the end of the day, Aruba ClearPass is about securing the edge and being able to exchange information with what you already have in place, meaning you don't have to go and invest in other solutions to get things working, which is always a big win for the IT team and the CFO.
Next Steps: Talk to the Aruba experts at WEI to better understand how a solution like ClearPass can benefit your business. Ask us about a wireless network assessment as well to find out how well your current wireless solution is performing and to help identify gaps in coverage.